
Data Protection and Mediation when it goes wrong


In May 2018, new legislation came into force that gave individuals more control over personal data and what data can be held by organisations. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 contain provisions and requirements on the processing of personal data of individuals within the European Economic Area.


It is perhaps worth clarifying that events of 1st January 2021 will not have affected this European law as it has now been enshrined within UK law by the Data Protection Act. The United Kingdom is therefore still bound by the GDPR. Therefore, those that control this data must have appropriate technical and organisational measures to protect the data they collect and obtain consent for its collection and disclosure where required.


Under the GDPR, both private and public organisations are required to obtain specific consent to hold the information for the purpose for which they are using it and, further, to have told the owner of the information why they are holding the information and how long they are intending to keep it. This is fundamental and is set out in the privacy notices which we often see when we agree to let new organisations, such as banks or internet shopping contacts, take our details.


What happens when data handling goes wrong?


The most common problem arises when data is disclosed without the owner’s consent or is disclosed to an unauthorised third party, either accidentally or deliberately.  


However, other issues can arise; for example, information can be lost or inaccurate information may be held which has a material impact on an individual.  A key example of this would be criminal records or health information which, if inaccurate, would be fundamental to a person’s wellbeing or their ability to pursue their livelihood.


What steps are available?


If any organisation is holding inaccurate or incomplete data then an individual would have the right to seek “rectification” as it is described by the Information Commissioner’s Office (ICO), the UK’s data protection regulator.   This can be made by complaining to the organisation, to the ICO or through the courts or via a mediation process.   Any organisation or the ICO will look for evidence as to why the data held is inaccurate or incomplete.


If there has been a data breach, such as an unauthorised disclosure of information, or personal data is lost, destroyed, or accessed in an unauthorised way, whether accidentally or intentionally, there may be an entitlement to compensation if distress or loss has been caused.


How do I access compensation for breach of data protection?


Data breach cases are not straightforward but are not insurmountable. In the first instance, it is a wise move to involve the ICO as they can investigate the incident and determine if an organisation is at fault for the breach. This can be a slow process and it isn’t necessary, but there is no doubt it will add weight to a compensation claim if they find there has been a breach.


However, it is important to note that the ICO does not award compensation; to be awarded compensation you will need to make a claim against the organisation who caused the data breach. The ICO does penalise organisations who have been found guilty of a data breach; one example is British Airways, which was fined £20 million for failing to protect the personal and financial details of more than 400,000 of its customers.


Who can I claim against for a breach of data protection?


A claim for a data breach can be brought against an individual or an organisation either in the public sector, private sector or charitable sector. In some cases, there may be more than one defendant.


The level of compensation will depend on the type of data breach and how this has affected you both financially and mentally. The law in this area is currently developing following the introduction of the recent legislation; the courts haven’t yet given any specific guidelines on what will be awarded.  


As with any claim for compensation it will be necessary to demonstrate the level of distress which has actually been caused by the data breach or, in the alternative, the financial loss which has been created.  This is not always easy and any organisation or, if the matter were pressed to a claim through the courts, a judge would be looking for important evidence of the distress or the loss.  


Methods of obtaining compensation including mediation


Whilst a claim for compensation can be pursued through the courts, this will inevitably incur court costs and will depend upon the risks of litigation.  If, for example, the losses cannot be wholly demonstrated, on the balance of probabilities, to have been caused by the data breach this may result in costs awards which would negate any successful outcome.


This is where a mediated settlement is helpful.  Not only can mediation assist in resolving a compensation claim but can also address rectification of data and any other related issues which may have arisen as a result of the data breach.  The flexibility of mediation is therefore particularly useful when addressing the issues of data protection and is a far less costly tool.


There is a large volume of information on the ICO website, both about information rights generally and what actions are available if data has been mishandled, and this is a useful starting point with regard to any potential claim, whether it is to rectify data or to seek compensation.